[rspec-users] Getting past my login system

Ryan Tucker rctucker at u.washington.edu
Tue Jul 17 01:28:55 EDT 2007


Daniel N wrote:
>
>
> On 7/17/07, *Ryan Tucker* <rctucker at u.washington.edu 
> <mailto:rctucker at u.washington.edu>> wrote:
>
>     Daniel N wrote:
>     >
>     >
>     > On 7/17/07, *Ryan Tucker* <rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>
>     > <mailto:rctucker at u.washington.edu
>     <mailto:rctucker at u.washington.edu>>> wrote:
>     >
>     >     Ryan Tucker wrote:
>     >     > Thank you in advance for your help.  I am relatively new
>     to both
>     >     Rails
>     >     > and Rspec and I am hoping for some insight from some
>     experienced
>     >     veterans.
>     >     >
>     >     > Right now I am using Rspec for code that has already been
>     >     written so
>     >     > that additional functionality can be developed using the BDD
>     >     method. My
>     >     > problem shows up when I try to spec controllers that are
>     behind the
>     >     > login system.  Each page checks for the session[:user], and if
>     >     they do
>     >     > not exists, requires them to login.  Logging in is handled
>     by one
>     >     > controller (the Admin controller) and I want to access a
>     page under
>     >     > another controller (say a Students controller).
>     >     >
>     >     > In my students_controller_spec.rb, I want want to make sure
>     >     > http://test.host/students is successfully displayed, so I
>     wrote
>     >     > something like:
>     >     >
>     >     >   it "should be successful" do
>     >     >     get :index
>     >     >     response.should be_success
>     >     >   end
>     >     >
>     >     > The problem is that is keeps redirecting to my login page at
>     >     > http://test.host/login.  I tried then setting
>     session[:user] and
>     >     doing a
>     >     > post to my login page to simulate a login so that I could
>     access the
>     >     > correct page, but that does not seem to work.  I tried a
>     number of
>     >     > things, including the following:
>     >     >
>     >     > def do_login
>     >     >   @user = User.find(:first, :conditions => ['username = ?' ,
>     >     'ryan'] )
>     >     >   session[:user] = @ user.id <http://user.id> <http://user.id>
>     >     >   post :login, :path => []
>     >     > end
>     >     >
>     >     > describe StudentsController do
>     >     >   it "should be successful" do
>     >     >     do_login
>     >     >     get :index
>     >     >     response.should be_success
>     >     >   end
>     >     > end
>     >     >
>     >     > This still results in being redirected to the login page at
>     >     > http://test.host/login when I want to go to
>     >     http://test.host/students.
>     >     > Also, I realize I am actually doing a call on my test
>     database for
>     >     > this.  Part of the reason is that code that called during
>     login
>     >     checks
>     >     > fields of a user.  The other reason is I could not get it to
>     >     work using
>     >     > stubs, but that might just have been because I was not using
>     >     them properly.
>     >     >
>     >     > Any insight will be helpful, thanks!
>     >     >
>     >     > -Ryan
>     >     > _______________________________________________
>     >     > rspec-users mailing list
>     >     > rspec-users at rubyforge.org
>     <mailto:rspec-users at rubyforge.org> <mailto:
>     rspec-users at rubyforge.org <mailto:rspec-users at rubyforge.org>>
>     >     > http://rubyforge.org/mailman/listinfo/rspec-users
>     >     >
>     >     Forgot one thing.
>     >
>     >     In trying to do the post, I get the error that "No action
>     >     responded to
>     >     login" suggesting that I am not properly accessing the login
>     >     function in
>     >     my Admin controller.
>     >
>     >     Thanks again,
>     >     Ryan
>     >
>     >
>     >
>     > Ryan, the login action is being called on
>     your  StudentsController and
>     > so it's not found.
>     >
>     > If it's the presence of the session[:user] that tells the
>     > before_filter that your logged in, the you don't need to do the
>     post.
>     > In fact you shouldn't post, since as you found out if you post to
>     > login, your posting to the login action of the controller your
>     > currently in.  Bad.  Your setting the session and you shouldn't need
>     > to do any more.
>     >
>     > HTH
>     > Daniel
>     >
>     >
>     >
>     ------------------------------------------------------------------------
>
>     >
>     > _______________________________________________
>     > rspec-users mailing list
>     > rspec-users at rubyforge.org <mailto:rspec-users at rubyforge.org>
>     > http://rubyforge.org/mailman/listinfo/rspec-users
>     Thanks, Daniel.
>
>     That was my understanding as well, but, for some reason, that has not
>     been enough.  The post was an attempt to simulate an actual login by
>     posting to another controller (I know it was bad...) since just
>     setting
>     the session[:user] was not a success.  Thank you for your help though.
>
>     Take care,
>     Ryan
>
>
> Can you post your before_filter method that checks if your logged in?
>
> Also your login method in your Admin controller.
>
> Cheers
>  
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
  #  The Logins are to track a users activity, and this supports
  # when a user wants to access a page and needs to login first, sending 
them to it after they login.
  # Authenticate checks the username and password against the username 
and password in the
  # database.
  def login
    if request.post?
      if @current_user = User.authenticate(params[:username], 
params[:password])
        login = Login.create(:remote_ip => request.remote_ip.to_s, 
:user_agent => request.user_agent.to_s, :http_vars => request.env)
        @current_user.logins << login
        session[:user] = @current_user.id
        uri = session[:original_uri]
        session[:original_uri] = nil
        redirect_to uri || home_url
        return
      else
        flash[:error] = "Access denied"
      end
    end
   
    if session[:user]
      redirect_to home_url
      return false
    end
    set_page_title "Log In"
  end

  # This checks that there is a current user, and checks if they are active
  # In my case, I am keeping track of whether or not I have disabled
  # a user.  active?() returns true so long as they are have not been 
deactivated.
  def check_authentication
    unless @current_user and @current_user.active?
      session[:original_uri] = request.request_uri
      redirect_to log_in_url
      return false
    end
    true
  end


Thank you again for your help.

Take care,
Ryan


More information about the rspec-users mailing list